The government has announced that starting January 1, 2025, the Kenya Revenue Authority (KRA) will begin overseeing the sale of all locally assembled and imported mobile phones to ensure adherence to tax regulations.
According to new guidelines released this week by the Communication Authority of Kenya (CA), manufacturers, importers, retailers, and mobile network operators will be required to upload the International Mobile Equipment Identity (IMEI) numbers for all devices assembled or imported after November 1, 2024, into a KRA portal for tax compliance tracking.
So, what exactly is an IMEI? An IMEI number is a unique 15-digit identifier assigned to each mobile device, which is used by mobile network providers to verify the authenticity of devices.
In many nations around the globe, IMEI numbers are primarily utilized for security reasons rather than for tax compliance. Law enforcement agencies collaborate with network providers to track stolen or compromised devices, enabling them to restrict access to the network.
Typically, tax compliance is managed at customs and clearance points in most jurisdictions. This context has led to concerns regarding the Kenya Revenue Authority’s (KRA) initiative to monitor compliance through IMEI numbers, as it may infringe upon the privacy rights of Kenyan citizens and introduce various risks.
The Data Protection Act, which regulates data privacy, grants individuals several rights, including the right to be informed about how their personal data will be used. Furthermore, the law authorizes data controllers or processors to collect, store, or utilize personal data only for legitimate, specific, and explicitly defined purposes.
Before gathering personal data, these entities must inform individuals about their rights and the purpose of the data collection. They are also obligated to disclose information regarding any third parties to whom the personal data may be transferred, provide contact details for the data controller or processor, and clarify whether additional entities will receive the collected data.
In this context, the law permits data processors and controllers, such as banks, telecommunications companies, or government institutions, to collect personal data as long as there is a justifiable reason, such as legal requirements like those faced by the KRA in their pursuit of tax-related information.
Analysts express skepticism regarding the government’s recent initiative, highlighting potential violations of the data minimization principle. This principle stipulates that only the essential amount of personal data necessary for delivering a service should be collected. Essentially, it dictates that one should not gather more information than what is required for a specific service.
A Nairobi-based lawyer specializing in intellectual property and technology, who preferred to remain anonymous, stated to Citizen Digital, “If you are obtaining an IMEI number from an individual, you must demonstrate that this information is absolutely vital for your intended purpose; otherwise, it constitutes an overreach. If the Kenya Revenue Authority (KRA) can achieve its objectives using other forms of data, then the request for IMEI numbers could be viewed as excessive. For tax identification, can’t there be alternative information that is less intrusive?”
The apprehension arises from the significant power associated with IMEI numbers, which allow for device tracking, unlike other unique identifiers such as phone serial numbers that can identify handsets but do not enable tracking. The primary function of an IMEI number is to assist network providers like Airtel, Safaricom, and Telkom in tracking devices, disabling stolen phones, and enforcing security protocols.
Sarah Mumbua, a commercial attorney, raised an important point regarding the directive, questioning who exactly is deemed tax-compliant. “Is it the stakeholders and end users, or does compliance extend to a mobile device itself? Can a mobile device truly be classified as tax-compliant in a strict sense?” she inquired.
Moreover, the potential for misuse of this data, particularly regarding state surveillance, poses a significant concern. Raymond Kamau, a cybersecurity expert, explained that each time a phone connects to a network, its IMEI number is transmitted to the provider. This information enables the identification of the device’s location and facilitates connections with local networks, making it easier to find a stolen phone based on its last known connection. “It’s frequently utilized to locate missing individuals and to analyze the calls made from their devices to monitor their movements,” Kamau stated.
Building on this, Mumbua raised alarm about the potential for revenue authorities to use IMEI numbers to track individuals’ locations without prior consent, thereby violating their right to privacy. The Kenyan government has faced accusations in the past for collecting customer data from mobile network operators for surveillance purposes. During the peak of anti-government protests in Kenya in June over proposed tax increases, there were widespread concerns that some telecommunications companies were colluding with law enforcement to share customers’ location data in order to track and apprehend citizens, a move many viewed as an effort by the State to suppress dissent.
“We must acknowledge the reality of the existing government,” states an expert in intellectual property and technology law. “It’s uncertain whether this information will be disseminated to other government agencies for various reasons.” Cybersecurity specialist Kamau adds, “The sharing of IMEI numbers should be restricted solely to network service providers. Does this imply that the KRA will now function as a network service provider?” He notes, however, that IMEI numbers could play a role in identifying both authentic and counterfeit products in the Kenyan marketplace, a concern the government has attempted to tackle through the contentious Device Management System (DMS).
Launched in 2016, the DMS enables the Communications Authority (CA) to access the unique identification number for every active mobile device in Kenya, allowing it to deny services to counterfeit devices. This initiative has faced pushback from local telecommunications companies and activists, who have raised alarms about potential surveillance and violations of privacy.
Activist Okiya Omtatah even filed a lawsuit against the CA, and in a 2017 ruling, the court deemed the DMS “a threat to subscriber privacy,” instructing the regulator to adopt less invasive measures. The legal dispute continued to the Court of Appeal and subsequently to the Supreme Court, culminating in April of last year when the Supreme Court authorized the CA to proceed with the DMS implementation.
MONITORING COMPLIANCE While it remains unclear whether the new guidelines issued by the communications regulator are directly associated with the DMS, the CA has now mandated that all local phone manufacturers report the IMEI numbers of every assembled device to the KRA, mirroring the requirements for all imported mobile phones intended for sale, testing, research, or any other purpose.
On the other hand, retailers and wholesalers are instructed to sell only devices that meet compliance standards. Meanwhile, network carriers are required to connect devices to their networks only after confirming their tax compliance status via a whitelist database of approved devices, provided by the KRA. According to the communications regulator, these new regulations will take effect for all devices imported or assembled in the country starting November 1, 2024. It was also noted that all existing devices on mobile networks as of October 31, 2024, will remain unaffected by these changes.